Created Mar 20, 2019
Transparent sslh to ssh (get IPs for fail2ban or Match rules) - without iptables
/etc/sslh/sslh.cfg (libconfig syntax; comments added):

```
verbose: 1;
foreground: true;
inetd: false;
# Connect to the backend using the client's own source address, so sshd logs
# the real peer instead of 127.0.0.1. This only works together with the
# policy routing set up in the unit file, which steers the backend's replies
# back through sslh rather than out to the network.
transparent: true;
user: "sslh";
pidfile: "/var/run/";
syslog_facility: "auth";

listen: ({ host: ""; port: "443"; });

protocols: ({
    name: "ssh"; service: "ssh"; host: ""; port: "22";
    # per-protocol connection logging, raised here for debugging
    log_level: 5;
});
```
systemd unit file:

```ini
[Unit]
Description=SSL/SSH multiplexer

[Service]
# Policy routing for transparent mode: packets that carry fwmark 0x1, or that
# come from the address named in the "from" rule, are looked up in table 100,
# whose local route delivers them to this host (and so back into sslh) instead
# of sending them towards the spoofed client address.
# NOTE: the prefix after "local" and the source selector after "from" are
# host-specific and must be supplied before this unit will start.
ExecStartPre=/sbin/ip rule add fwmark 0x1 lookup 100
ExecStartPre=/sbin/ip route add local dev lo table 100
ExecStartPre=/sbin/ip rule add from table 100
ExecStartPre=/sbin/ip route flush cache
ExecStart=/usr/sbin/sslh -F /etc/sslh/sslh.cfg
# Remove the rules and route again when sslh stops
ExecStopPost=/sbin/ip rule del fwmark 0x1 lookup 100
ExecStopPost=/sbin/ip route del local dev lo table 100
ExecStopPost=/sbin/ip rule del from table 100
ExecStopPost=/sbin/ip route flush cache
```
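The whole point of transparent mode is visible in sshd's own log: when sslh forwards without it, every connection reaches sshd from 127.0.0.1, so fail2ban ends up banning the loopback address and `Match Address` blocks in sshd_config never see the real client. The script below is an added example, not part of the gist or of sslh; it reads syslog-style auth.log lines and reports whether sshd is seeing real client addresses. It assumes OpenSSH's usual message forms ("Failed password for ... from <ip> port ...", "Invalid user ... from <ip> ..."); the sample log lines are constructed and use TEST-NET addresses.

```shell
#!/bin/sh
# Added example: judge from sshd's log whether sslh's transparent mode is
# effective. Not from the gist. Run on a real host as
#   sh sslh_transparency_check.sh < /var/log/auth.log
# (the file name is an assumption; only the functions matter).

# Print "count ip" for every source address in sshd authentication-failure
# lines read from stdin, most frequent first.
ssh_fail_sources() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { seen[$(i + 1)]++; break }
         }
         END { for (ip in seen) print seen[ip], ip }' | sort -rn
}

# Read "count ip" lines from stdin; exit 0 if every address is loopback,
# which is the signature of sslh forwarding without transparent mode.
all_loopback() {
    awk '$2 != "127.0.0.1" && $2 != "::1" { nonloop = 1 }
         END { exit nonloop ? 1 : 0 }'
}

# Human-readable verdict. Returns 0 when real client addresses are logged,
# 1 when only loopback shows up, 2 when there is nothing to judge.
transparency_check() {
    log=$(cat)
    sources=$(printf '%s\n' "$log" | ssh_fail_sources)
    if [ -z "$sources" ]; then
        echo "no sshd authentication failures in input: nothing to judge"
        return 2
    fi
    if printf '%s\n' "$sources" | all_loopback; then
        echo "NOT transparent: every sshd failure is logged from loopback;"
        echo "fail2ban would ban 127.0.0.1 and Match Address rules never see the client"
        return 1
    fi
    echo "transparent: sshd logs real client addresses"
    return 0
}

# Constructed sample logs (not real hosts).
SAMPLE_NON_TRANSPARENT='Mar 20 10:01:02 host sshd[1234]: Failed password for root from 127.0.0.1 port 40210 ssh2
Mar 20 10:01:05 host sshd[1234]: Failed password for root from 127.0.0.1 port 40210 ssh2
Mar 20 10:01:09 host sshd[1240]: Invalid user admin from 127.0.0.1 port 40222'

SAMPLE_TRANSPARENT='Mar 20 10:05:02 host sshd[1301]: Failed password for root from 203.0.113.7 port 51514 ssh2
Mar 20 10:05:05 host sshd[1301]: Failed password for root from 203.0.113.7 port 51514 ssh2
Mar 20 10:05:09 host sshd[1310]: Invalid user admin from 198.51.100.2 port 60002
Mar 20 10:05:11 host sshd[1315]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# Demo over the constructed samples; the first verdict exits non-zero by design.
for sample in "$SAMPLE_NON_TRANSPARENT" "$SAMPLE_TRANSPARENT"; do
    printf '%s\n' "$sample" | ssh_fail_sources
    printf '%s\n' "$sample" | transparency_check || :
done
```

`ssh_fail_sources` on its own is also a quick way to see what fail2ban's sshd filter would be counting: if the only address it prints is 127.0.0.1, the ban would hit the host itself, and the routing rules in the unit file above are what is missing.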

@voltagex voltagex commented Mar 20, 2019

Notes: this is set up for some extra logging at the moment.

On Debian/Ubuntu, /etc/default/sslh is set up, /etc/sslh/sslh.cfg is not.

Use /usr/sbin/sslh -F /etc/sslh/sslh.cfg because debugging through journalctl is a pain.
